Tuesday 27 October 2009

AD snapshots and Directory Service Comparison Tool

AD snapshots. They sound nice, don't they?
And they sort of are.

The details on how to set them up are here:
http://sites.google.com/site/tdmref/Home/active-directory/ad-snapshots

The main issue I have is that there are no good ways to get the data back into the AD. You can develop a script, or use csvde or ldifde, but that is not really easy in times of crisis.

You should be aware that all snapshot data is read-only and that, by default, a mounted snapshot is only accessible to members of Domain Admins and Enterprise Admins.
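The "script or ldifde" route from above, worked through end to end, as an added example that is not part of the original post. It mounts a snapshot with ntdsutil, exposes it with dsamain on a side port, reads the attributes you want back out of it with System.DirectoryServices and writes them as a "changetype: modify" LDIF that ldifde can apply to the live DC. The snapshot index (2), the LDAP port (10389), the OU (OU=Sales,DC=corp,DC=local), the mount path and the output folder C:\Recover are all hypothetical; the ntdsutil, dsamain and ldifde syntax is the real one.

```powershell
# Added example; not from the original post. Run in an elevated PowerShell on a
# W2K8 DC. Hypothetical values: snapshot index 2, side LDAP port 10389,
# OU=Sales,DC=corp,DC=local as the scope, C:\Recover as the output folder.

# 1. Create a snapshot, list the ones that exist, and mount one by index.
#    ntdsutil prints the mount point, e.g. C:\$SNAP_200910271200_VOLUMEC$\
ntdsutil "activate instance ntds" snapshot create quit quit
ntdsutil snapshot "list all" quit quit
ntdsutil snapshot "list all" "mount 2" quit quit

# 2. Serve the mounted ntds.dit over LDAP on the side port. dsamain runs in the
#    foreground, so give it its own window. Single quotes: $SNAP must not expand.
Start-Process dsamain -ArgumentList '-dbpath', `
    'C:\$SNAP_200910271200_VOLUMEC$\Windows\NTDS\ntds.dit', '-ldapport', '10389'

# LDIF needs base64 for binary values and for strings that are not "safe".
function Format-LdifValue([string]$Attr, $Value) {
    if ($Value -is [byte[]]) {
        return "${Attr}:: " + [Convert]::ToBase64String($Value)
    }
    $s = [string]$Value
    # Safe: printable ASCII, not starting with space, ':' or '<', not ending in space.
    if ($s -match '^[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*$' -and -not $s.EndsWith(' ')) {
        return "${Attr}: $s"
    }
    return "${Attr}:: " + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s))
}

# Read the chosen attributes of every user under the snapshot OU and write a
# "changetype: modify / replace:" LDIF that puts them back on the live objects.
# A "replace" with no values clears the attribute, which is what restoring the
# snapshot's state means when the attribute was empty at snapshot time.
function Export-SnapshotAttributes {
    param(
        [string]$SnapshotRoot,   # e.g. 'LDAP://localhost:10389/OU=Sales,DC=corp,DC=local'
        [string[]]$Attributes,   # attributes to bring back
        [string]$OutFile
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $SnapshotRoot
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    $searcher.Filter = '(objectClass=user)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange($Attributes)
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null

    $lines = New-Object 'System.Collections.Generic.List[string]'
    foreach ($r in $searcher.FindAll()) {
        $lines.Add((Format-LdifValue 'dn' $r.Properties['distinguishedname'][0]))
        $lines.Add('changetype: modify')
        foreach ($a in $Attributes) {
            $lines.Add("replace: $a")
            foreach ($v in $r.Properties[$a]) { $lines.Add((Format-LdifValue $a $v)) }
            $lines.Add('-')
        }
        $lines.Add('')
    }
    [System.IO.File]::WriteAllLines($OutFile, $lines.ToArray())
}

# 3. Pull the attributes out of the snapshot as a modify LDIF, then review it.
New-Item -ItemType Directory -Path C:\Recover -Force | Out-Null
Export-SnapshotAttributes -SnapshotRoot 'LDAP://localhost:10389/OU=Sales,DC=corp,DC=local' `
    -Attributes 'description', 'telephoneNumber', 'manager' -OutFile 'C:\Recover\restore.ldf'

# 4. Apply it to the live DC (default port 389). -k carries on past constraint
#    violations instead of stopping at the first one.
ldifde -i -k -f C:\Recover\restore.ldf

# 5. Close the dsamain window (Ctrl+C), then unmount.
ntdsutil snapshot "list all" "unmount 2" quit quit
```

Read the .ldf before importing it: the export is a straight "make the live object look like the snapshot" for the listed attributes, so anything that legitimately changed since the snapshot will be rolled back too. Narrow the filter or the attribute list rather than the other way round.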

The Directory Service Comparison Tool does provide a nice interface for doing some of these things. The only issue I had with it is that, after loading the snapshot and the AD, it didn't show any changes that had occurred in the live AD since the snapshot.
Now, this may be me, but I haven't seen anything on t'internet that tells me otherwise.

It will pick up any changes that you make to the AD while the mounted snapshot is active.
You can then reanimate and restore attributes.

However, if it can't tell me the initial differences between a snapshot and the AD, it is no good to me, as it would otherwise have to be running all of the time.

Preventing OU Deletion

When you create an OU in the W2K8 console, there is an option to protect it from accidental deletion.
If you tick it, all that happens is that an ACE for Everyone is added to the OU's DACL that denies "Delete" and "Delete Subtree". Because it is an ordinary Deny ACE it only stops fat-fingered deletes: anyone who can write the DACL can clear the tick box (which removes the ACE) and then delete the OU, and that is exactly what you have to do before an intended deletion will succeed.
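The same protection done from PowerShell, as an added example that is not part of the original post. It needs the Active Directory module (shipped with W2K8 R2 and RSAT, so slightly newer than the W2K8 console the post is about); the OU name OU=Sales,DC=corp,DC=local is hypothetical. It audits which OUs are unprotected, protects them, shows the ACE that appears in the DACL, and demonstrates that a delete is then refused until the ACE is removed again.

```powershell
# Added example; not from the original post. Needs the AD PowerShell module
# (W2K8 R2 / RSAT). Hypothetical OU: OU=Sales,DC=corp,DC=local.
Import-Module ActiveDirectory
$ou = 'OU=Sales,DC=corp,DC=local'

# 1. Audit: which OUs have the tick box off?
function Get-UnprotectedOU {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}
Get-UnprotectedOU | Select-Object DistinguishedName

# 2. Protect them all; this is what ticking the box does.
Get-UnprotectedOU | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

# 3. What it put in the DACL: one non-inherited Deny ACE for Everyone with
#    Delete + DeleteTree (the "Delete Subtree" shown in the GUI).
(Get-Acl "AD:\$ou").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited -AutoSize

# 4. Deletion now fails with access denied, even for a Domain Admin ...
try {
    Remove-ADOrganizationalUnit -Identity $ou -Confirm:$false -ErrorAction Stop
} catch {
    "Blocked by the protection ACE: $($_.Exception.Message)"
}

# ... and the only way past it is to remove the ACE first. That is also why it
#     is no defence against anyone who can already write the DACL.
# Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $false
# Remove-ADOrganizationalUnit -Identity $ou -Confirm:$false
```

Step 1 is the useful part to schedule: the tick box is per OU and off by default on OUs created by script or by older tools, so a periodic run that lists unprotected OUs catches the gaps.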

Owner Rights Restrictions

W2K8 adds a new well-known SID, OWNER RIGHTS (S-1-3-4).
An ACE for this SID replaces the implicit rights that the owner of an object would otherwise get automatically, the important one being the ability to change the DACL (WRITE_DAC). Note that this is not the same thing as CREATOR OWNER (S-1-3-0), which is only a placeholder in inheritable ACEs that gets swapped for the creator's own SID on each new child object.

This is useful in an AD delegation model where you want a group to be able to create but not delete objects. Under the old model, the user who created an object normally became its owner, and as owner could always rewrite its DACL, so they could grant themselves Delete on anything they had created. An inheritable OWNER RIGHTS ACE on the OU that grants the owner nothing more than Read takes that ability away.

Owner Rights only works as intended when all DCs are running W2K8. A down-level DC does not know the SID, so it ignores the ACE and still applies the implicit owner rights, which means the protection is only as good as the oldest DC a user can reach.

See this link for a good description of how to use Owner Rights:
http://technet.microsoft.com/en-us/library/dd125370(WS.10).aspx
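How to put such an OWNER RIGHTS ACE on a delegated OU and check that it has landed, as an added example that is not part of the original post or the linked article. It uses plain .NET System.DirectoryServices, so it runs on W2K8 without the AD module. The OU OU=Sales,DC=corp,DC=local and the scenario (a helpdesk group delegated "Create user objects" there) are hypothetical, and the behaviour described only holds once every DC is W2K8.

```powershell
# Added example; not from the original post. Plain .NET System.DirectoryServices,
# so it works on W2K8 without the AD module. Hypothetical OU: OU=Sales,DC=corp,DC=local,
# where a helpdesk group has been delegated "Create user objects" but must not be
# able to delete or re-ACL what it creates. All DCs must be W2K8 for this to hold.
function Set-OwnerRightsReadOnly([string]$OuDn) {
    $ou = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$OuDn"
    $ownerRights = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-3-4'
    # Inherit-only, descendants: lands on every object created beneath the OU and
    # replaces the implicit READ_CONTROL + WRITE_DAC the owner would otherwise get.
    # ("Descendents" is the .NET enum's own spelling.)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $ownerRights,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    )
    $ou.ObjectSecurity.AddAccessRule($ace)
    $ou.CommitChanges()
}

# List the OWNER RIGHTS ACEs on an object. On the OU itself the ACE is
# inherit-only; on a child created afterwards it is inherited and effective.
# Matching on the SID rather than the name means it still shows up on a DC
# that cannot resolve S-1-3-4 to a name.
function Get-OwnerRightsAce([string]$Dn) {
    $entry = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Dn"
    $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-3-4' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType, IsInherited
}

Set-OwnerRightsReadOnly 'OU=Sales,DC=corp,DC=local'
Get-OwnerRightsAce 'OU=Sales,DC=corp,DC=local'
# After the helpdesk creates a user, e.g. CN=Test User,OU=Sales,DC=corp,DC=local,
# the same check on that object shows the inherited ACE:
# Get-OwnerRightsAce 'CN=Test User,OU=Sales,DC=corp,DC=local'
```

To prove the point, have a member of the helpdesk group (one who is not also in Domain Admins, since those objects are owned by the group rather than the creator) create a user under the OU and then try to change its security tab: with the ACE in place the owner no longer has Modify Permissions on it.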

Monday 26 October 2009

Restartable AD

AD DS in W2K8 runs as a stoppable service, so you can stop and restart it (net stop ntds / net start ntds) without rebooting into Directory Services Restore Mode.

The main thing this buys you is an offline defrag (whether this is of much use is debatable): with the service stopped, ntdsutil can compact ntds.dit into a new file, so you will likely see a decrease in the size of the database.

AD does a regular online defrag (every 12 hours by default) as part of the garbage collection process. This reclaims space inside the file and disposes of expired tombstone objects, but it never shrinks the file on disk.
An offline defrag is therefore what actually shrinks the database, which makes it easier to hold entirely in memory, with the performance gains that brings. Bear in mind that stopping AD DS also stops the services that depend on it (the KDC and, where installed, DNS Server and DFSR/FRS), so do it in a maintenance window and take a system state backup first.
See this link for instructions.
http://sites.google.com/site/tdmref/Home/active-directory/offline-defrag-restartable-adds
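The procedure from the linked page, scripted as an added example that is not part of the original post. It assumes the default database folder C:\Windows\NTDS, a scratch folder C:\Compact with at least as much free space as the current ntds.dit, and a backup volume E: for the system state backup; adjust those to taste. The ntdsutil and wbadmin command lines are the real ones.

```powershell
# Added example; not from the original post. Run elevated on the W2K8 DC during a
# maintenance window. Assumptions: default database folder C:\Windows\NTDS, a
# scratch folder C:\Compact with at least as much free space as ntds.dit, and a
# backup volume E: for the system state backup.
$ntds    = 'C:\Windows\NTDS'
$scratch = 'C:\Compact'

function Get-NtdsSizeMB { [math]::Round((Get-Item "$ntds\ntds.dit").Length / 1MB, 1) }

# 0. Size before, and a system state backup first (wbadmin is the W2K8 tool).
"Before: $(Get-NtdsSizeMB) MB"
wbadmin start systemstatebackup -backupTarget:E: -quiet

# 1. Stop AD DS. -Force also stops whatever depends on it (KDC, DNS Server,
#    DFSR/FRS, Intersite Messaging); remember them so they can be restarted.
$dependents = (Get-Service NTDS).DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service NTDS -Force
Get-Service NTDS | Format-Table Name, Status

# 2. Compact the database into a new file (this is the offline defrag).
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
ntdsutil "activate instance ntds" files "compact to $scratch" quit quit

# 3. Swap in the compacted file, delete the old transaction logs (they belong
#    to the old database), then run the integrity check on the new one.
Copy-Item "$scratch\ntds.dit" "$ntds\ntds.dit" -Force
Remove-Item "$ntds\*.log"
ntdsutil "activate instance ntds" files integrity quit quit

# 4. Start AD DS and the services that were stopped with it, then compare.
Start-Service NTDS
if ($dependents) { $dependents | Start-Service }
"After: $(Get-NtdsSizeMB) MB"
```

Keep the original ntds.dit (ntdsutil leaves it in place until you copy over it) until the integrity check passes and the service is back up; if the check fails, copy the old file back, leave the logs alone and start NTDS again.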